2bb2c59d97f7aa971f1fcd7518fcf4331550029765b0943f84d32d5eec603760

General

Target

7loader.7z
Size

7KB
MD5

4587bf3746a5674a1797ea7fe50d0893
SHA1

ea740da047d03d09b69417f6453d953392efc749
SHA256

2bb2c59d97f7aa971f1fcd7518fcf4331550029765b0943f84d32d5eec603760
SHA512

ef589aa9da32570e7c144aa56e283b67705b242bff2c846ae7a443185ad33153bf7024df2eeee17659a5cd8aadd04271e46d3afc792586c29e37448c08666b9f
SSDEEP

192:3l6hiBbdX0HxDL1zGP6uIefpImEXf6QKzntNFA:168BRX0HxDLJHuI0pIszXy

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

IEXPLORE.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = f9a51feed318db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{83F4D116-A703-11EF-B31A-623C4707BF76} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{C5DFB28F-1772-4FA6-BB3B-9616BDA63935}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 11 IoCs

Processes:

7zFM.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.vir	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\vir_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\vir_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\vir_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.vir\ = "vir_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\vir_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\vir_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\vir_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\vir_auto_file\shell\open\CommandId = "IE.File"	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exeOpenWith.exe

pid process

5028 7zFM.exe
368 OpenWith.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 5028 7zFM.exe
Token: 35 5028 7zFM.exe
Token: SeSecurityPrivilege 5028 7zFM.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

7zFM.exeiexplore.exe

pid process

5028 7zFM.exe
5028 7zFM.exe
5028 7zFM.exe
1604 iexplore.exe
1604 iexplore.exe

pid	process
5028	7zFM.exe
368	OpenWith.exe

description	pid	process
Token: SeRestorePrivilege	5028	7zFM.exe
Token: 35	5028	7zFM.exe
Token: SeSecurityPrivilege	5028	7zFM.exe

pid	process
5028	7zFM.exe
5028	7zFM.exe
5028	7zFM.exe
1604	iexplore.exe
1604	iexplore.exe

Suspicious use of SetWindowsHookEx 37 IoCs

Processes:

OpenWith.exeiexplore.exeIEXPLORE.EXE

pid	process
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
368	OpenWith.exe
1604	iexplore.exe
1604	iexplore.exe
4128	IEXPLORE.EXE
4128	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

OpenWith.exeiexplore.exe

description	pid	process	target process
PID 368 wrote to memory of 1604	368	OpenWith.exe	iexplore.exe
PID 368 wrote to memory of 1604	368	OpenWith.exe	iexplore.exe
PID 1604 wrote to memory of 4128	1604	iexplore.exe	IEXPLORE.EXE
PID 1604 wrote to memory of 4128	1604	iexplore.exe	IEXPLORE.EXE
PID 1604 wrote to memory of 4128	1604	iexplore.exe	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\7loader.7z"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\7zO4A3142A7\7loader.exe.vir
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1604 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4128
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\7zO4A3142A7\7loader.exe.vir
    3⤵
    PID:3568
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1604 CREDAT:17414 /prefetch:2
    3⤵
    PID:4264

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\MeasureSuspend.nfo"
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO4A3142A7\7loader.exe.vir

Filesize
44KB

MD5
2d538ba85d41c6a385e872201429380a

SHA1
aab6d07ea5390836a54b12c6836eb1106d7e9a44

SHA256
9c45ca71fda5862789cd866127e766b941de1f690b91144c1d4c1d967d1dc050

SHA512
76bc7b5b0a45147b23bac99bd7fc986c8bd407291cddffa9edf25ff88d9e8334221a48d9ab62c9bf37ab9eb7375b4ec4d2729ddeac7209c499e104f878168451

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads